how to setup MAC based authentication with LDAP

Matthew Newton mcn4 at leicester.ac.uk
Tue May 12 12:37:13 CEST 2015


On Tue, May 12, 2015 at 11:51:02AM +0200, Thomas Stather wrote:
> echo "Calling-Station-Id=f0:1f:af:35:c8:02" | radclient -s localhost:1812 auth radiusTest2015
> 
> I get an access-accept reply.

OK, at least your LDAP part is working.

> If I set up my AP and try to connect with a client where the MAC address is in LDAP I get:
> 
> Ready to process requests
> (2) Received Access-Request Id 9 from xxxxxxxxxx:44620 to xxxxxxxxxx:1812 length 167
> (2) User-Name = 'user'
> (2) NAS-IP-Address = xxxxxxxxxxxx
> (2) NAS-Identifier = '0418d66a5934'
> (2) NAS-Port = 0
> (2) Called-Station-Id = '0A-18-D6-6B-59-34:test'
> (2) Calling-Station-Id = '30-75-12-EE-63-AA'
> (2) Framed-MTU = 1400
> (2) NAS-Port-Type = Wireless-802.11
> (2) Connect-Info = 'CONNECT 0Mbps 802.11b'
> (2) EAP-Message = 0x0276000d017473746174686572

...

> rlm_ldap (ldap): Bind successful
> (2) EXPAND %{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}
> (2) --> test01.mydomain.local
> (2) if (!"%{ldap:ldaps:///ou=hosts,dc=ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") -> FALSE
> (2) else {
> (2) update control {
> (2) Auth-Type := Accept
> (2) } # update control = noop
> (2) } # else = noop
> (2) } # authorize = updated
> (2) Found Auth-Type = Accept
> (2) Auth-Type = Accept, accepting the user
> 
> Is this ok from the RADIUS side? Because I still cannot get any
> connection using wifi (no DHCP request) and when using Windows 7
> I even get prompted for my credentials.
> What am I doing wrong?

You've got an EAP request, so you have to do EAP. You're just
checking the MAC address and sending back an Access-Accept, which
isn't going to work.

The NAS will see the Access-Accept above and prepare to allow the
wireless client on. The wireless client will never see an
EAP-Success, so will drop off and retry (so you see the request
for your credentials again).

You need to configure and use EAP of some type, though once you're
doing that, you can use the MAC address LDAP check as an
additional check as part of the authentication/authorization.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
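As an added illustration of the advice above (this is example configuration written for this page, not Matthew's or the FreeRADIUS project's own config), here is one way to structure the authorize section so that the LDAP MAC lookup is an additional gate rather than a replacement for EAP. The LDAP URL, base DN and the expectation that the eap and ldap modules are already configured are assumptions; the xlat itself is the one from the debug output in the original post. The main point is that when the request carries an EAP-Message, the eap module must be allowed to set Auth-Type = EAP and drive the exchange, and Auth-Type := Accept must not be forced over it.

```unlang
authorize {
    # Additional check: the client MAC must exist in LDAP as an
    # ieee802Device entry. The value of Calling-Station-Id must be in
    # the same format as the macAddress attribute stored in the
    # directory (this NAS sends it upper-case, hyphen separated).
    # Assumed base DN and host; adjust to the real directory.
    if (!"%{ldap:ldaps://ldap.example.com/ou=hosts,dc=example,dc=com?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
        reject
    }

    # EAP request (the AP sent an EAP-Message): let the eap module set
    # Auth-Type = EAP and return, so the PEAP/TLS conversation happens
    # and the client eventually receives an EAP-Success.
    eap {
        ok = return
        updated = return
    }

    # No EAP-Message at all (plain MAC authentication bypass from the
    # NAS): the LDAP check above already passed, so accept here.
    update control {
        Auth-Type := Accept
    }
}

authenticate {
    # The eap module must also be listed here so the EAP conversation
    # is actually carried out for Auth-Type = EAP.
    eap
}
```

With this layout the MAC lookup runs for every request, a MAC not found in LDAP is rejected before any EAP round-trip, and a request that carries an EAP-Message never gets a bare Access-Accept without the EAP-Success the supplicant is waiting for. Checking the radiusd -X output for "Auth-Type = EAP" rather than "Auth-Type = Accept" on the first packet of a wireless session is the quickest way to confirm the EAP path is being taken.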

